We have cracked the problem of safely combining real-time tasks of different criticality on a single system image, removing the main show-stopper for complex mixed-criticality systems as they are emerging in cyberphysical systems such as autonomous vehicles.
Mixed-criticality systems (MCS) consolidate multiple functionalities of differing criticality (i.e. severity of failure). MCS are already a reality in avionics, although to date with severe restrictions. A core requirement of MCS is that the correct operation, including timeliness, of critical components must not depend on any less critical components. This requires enforcement of strong spatial and temporal isolation by the OS. Given that MCS are often life-critical, this isolation must be truly bullet-proof, and must be able to stop interference by less critical components that are potentially compromised by an attacker.
The industry-standard approach, e.g. mandated by avionics standard ARIC 653, uses strict time-and-space partitioning (TSP), where each component is sandboxed in a fixed memory partition and executes according to a statically configured schedule. This approach is too limiting for emerging MCS, as it inherently leads to poor resource utilisation and inhibits sharing across criticalities. Such sharing is important; e.g. in an autonomous aircraft, the less critical ground-station communication component must be able to update waypoints used by the highly-critical flight-control component.
The recently released MCS branch of the formally-verified seL4 microkernel is the first OS that truly matches the requirements of MCS. seL4 already provides provable spatial isolation, the MCS branch adds a scheduling model that provides the right temporal isolation. In particular, it provides time budget enforcement, that can prevent high-priority threads from monopolising the processor.
In this talk I will first give a refresher on seL4 and its formal verification story. I will then discuss the requirements of MCS in detail, based on example use cases, and explain why they cannot be matched by existing systems. I will then present the seL4 MCS support and show how it meets the requirements. I will also present autonomous aerial vehicle (AAV) case studies.
This talk was given at Linux.conf.au 2018 (LCA2018) which was held on 22-26 January 2018 in Sydney Australia.
linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see https://linux.conf.au/